UNC2546 appears to be motivated by financial gain. Known victims so far include Canadian airplane manufacturer Bombardier, the American Bureau of Shipping, Netherlands-based Fugro, life sciences company Danaher, Singapore’s state-owned telecommunications company SingTel, and Transport for New South Wales.
These data exfiltration attacks are unusual in that the perpetrators did not install ransomware. This suggests a change in the tactics, techniques, and procedures (TTPs) of cybercriminals. It makes it more difficult for victims to detect anomalous behaviour in their systems as files are not encrypted. Victims are likely to remain unaware until they receive a demand for payment - or their files are uploaded to the Clop website.
At Threat Essentials, we rapidly detect when customers’ data have been leaked before it attracts widespread public attention so that customers can respond proactively to the situation.
We’ve seen that there are currently 26 companies listed on the Clop website, 24 of which have had data leaked beyond Proof of Compromise (PoC) files. Some of the files have attracted more than 100,000 views - high by dark web standards. We have also noticed that since last week, the data of at least one target has been removed, suggesting a victim may have paid the ransom, or cybercriminals have purchased the data.
We’ve also observed that the Accellion FTA leaks follow a similar pattern for nearly every target. Emails are usually published first; PoC files often consist of emails, confidential files, passports, driving licences and photos of staff where available. In essence, it appears the most commercially sensitive documents and Personally Identifiable Information are published to apply pressure on victims who have declined to pay the ransom. In the two most recent data leaks, only the victims’ PoCs have been uploaded. This suggests there is a delay between the uploading of PoCs and the full publication of stolen data.
What do we recommend?
If you can discover a PoC of your data before the full data leak occurs, you should be better placed to put mitigations in place before any of it becomes public.
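The two observations above, that a PoC post usually precedes the full dump and that listings sometimes disappear, lend themselves to a simple monitoring job: record the leak-site listing on each check and alert on new entries, escalations from PoC to full publication, and removals for the organisations you care about. The following Python is an added example written for this post, not code from Threat Essentials or its platform. The snapshot format (one `victim, stage` line per listing), the stage labels `poc` and `full`, and all victim names in the sample data are constructed for the example.

```python
"""Diff two snapshots of a leak-site listing and raise watch-list alerts.

Assumptions for this example: a monitoring job has already reduced each
scrape of the listing to 'victim, stage' lines, where stage is 'poc'
(only proof-of-compromise files posted) or 'full' (stolen data published).
The sample snapshots below are constructed; the names are not real victims.
"""
from typing import Dict, List, Tuple

# Ordered severity of what has been published for a victim (assumed labels).
STAGE_RANK = {"poc": 1, "full": 2}

Event = Tuple[str, str, str]  # (event kind, victim, stage)


def parse_snapshot(text: str) -> Dict[str, str]:
    """Parse 'victim, stage' lines into {victim: stage}; blanks and '#' comments are skipped."""
    listing: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        victim, stage = (part.strip() for part in line.split(",", 1))
        stage = stage.lower()
        if stage not in STAGE_RANK:
            raise ValueError(f"unknown stage {stage!r} for {victim!r}")
        listing[victim.lower()] = stage  # normalise case so spellings match across scrapes
    return listing


def diff_snapshots(previous: Dict[str, str], current: Dict[str, str]) -> List[Event]:
    """Return sorted (kind, victim, stage) events describing what changed.

    Kinds: 'new' (victim appeared), 'escalated' (PoC became full dump),
    'removed' (listing vanished, e.g. after payment or a sale of the data).
    """
    events: List[Event] = []
    for victim, stage in current.items():
        old = previous.get(victim)
        if old is None:
            events.append(("new", victim, stage))
        elif STAGE_RANK[stage] > STAGE_RANK[old]:
            events.append(("escalated", victim, stage))
    for victim, stage in previous.items():
        if victim not in current:
            events.append(("removed", victim, stage))
    return sorted(events)


def alerts_for(events: List[Event], watched: List[str]) -> List[Event]:
    """Keep only events for organisations on the watch list (case-insensitive)."""
    watch = {name.lower() for name in watched}
    return [event for event in events if event[1] in watch]


# Constructed sample data: two consecutive scrapes of a listing.
SNAPSHOT_DAY1 = """# constructed listing, day 1
Example Shipping Co, poc
Example Telco, full
Example Labs, poc
"""

SNAPSHOT_DAY2 = """# constructed listing, day 2
Example Shipping Co, full
Example Labs, poc
Example Airframes, poc
"""

if __name__ == "__main__":
    day1 = parse_snapshot(SNAPSHOT_DAY1)
    day2 = parse_snapshot(SNAPSHOT_DAY2)
    changes = diff_snapshots(day1, day2)
    for event in alerts_for(changes, ["Example Airframes", "Example Shipping Co"]):
        print(event)
```

A `new` event with stage `poc` is the early warning the recommendation above describes: it arrives before the full dump, which is the window in which notifications, credential resets and other mitigations can still be put in place. An `escalated` event means that window has closed for that organisation.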
Proactively mitigate your cyber risk through Threat Essentials’ unique threat intelligence platform by increasing awareness of any data that may have been exfiltrated surreptitiously. Gain understanding of who has it, their motivations and what they intend to do with it before malicious actors can maximise their leverage over your data.